I have a timechart (over 1 hour) with "count by STATUS" and I changed the span of the timechart to 4s, since Splunk can chart at most 1000 points in one chart. Now it shows me how many times e.g. "OK" appears in 4 seconds.
I want the value for just 1 second. Since it's not possible to just set span=1s, I have tried with some per_second value, but I couldn't get it to work fine.
rex max_match=10 "state-text\d\":\"(?P<state_text>[]\w ]+)" | timechart span=4s count by state_text | timechart span=4s per_second(count)
If there are multiple statuses, I want multiple lines with the average of count over 4 seconds.
Hi, try with the bucket command
...|bucket span=1s _time |timechart count by STATUS
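
An added example, not part of the original posts: one way to plot events per second for each status while keeping the 4-second span. It first counts events per second and per status, so that a numeric `count` field exists for `per_second()` to aggregate (after `timechart ... count by state_text` the columns are named after the status values and no `count` field is left). The first four lines only generate constructed sample events with the assumed statuses "OK" and "WARN"; on real data they would be replaced by the base search and the `rex` extraction.

```spl
| makeresults count=3600
| streamstats count AS n
| eval _time = now() - n
| eval state_text = if(n % 5 == 0, "WARN", "OK")
| bin _time span=1s
| stats count by _time, state_text
| timechart span=4s per_second(count) by state_text
```

Each point is the sum of `count` in its 4-second bucket divided by 4, so an hour still renders as 900 points with one line per status.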